WastedLocker
WastedLocker is a ransomware family attributed to Indrik Spider that has been used since at least May 2020. WastedLocker has been used against a broad variety of sectors, including manufacturing, information technology, and media.[1][2][3]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1112 | 修改注册表 |
WastedLocker can modify registry values within the |
|
| Enterprise | T1543 | .003 | 创建或修改系统进程: Windows Service |
WastedLocker created and established a service that runs until the encryption process is complete.[2] |
| Enterprise | T1574 | .001 | 劫持执行流: DLL Search Order Hijacking |
WastedLocker has performed DLL hijacking before execution.[2] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.[2] |
|
| Enterprise | T1059 | .003 | 命令与脚本解释器: Windows Command Shell |
WastedLocker has used cmd to execute commands on the system.[2] |
| Enterprise | T1120 | 外围设备发现 |
WastedLocker can enumerate removable drives prior to the encryption process.[3] |
|
| Enterprise | T1486 | 数据加密以实现影响 |
WastedLocker can encrypt data and leave a ransom note.[1][2][3] |
|
| Enterprise | T1083 | 文件和目录发现 |
WastedLocker can enumerate files and directories just prior to encryption.[2] |
|
| Enterprise | T1222 | .001 | 文件和目录权限修改: Windows File and Directory Permissions Modification |
WastedLocker has a command to take ownership of a file and reset the ACL permissions using the |
| Enterprise | T1106 | 本机API |
WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.[2] |
|
| Enterprise | T1012 | 查询注册表 |
WastedLocker checks for specific registry keys related to the |
|
| Enterprise | T1027 | .001 | 混淆文件或信息: Binary Padding |
WastedLocker contains junk code to increase its entropy and hide the actual code.[2] |
| .013 | 混淆文件或信息: Encrypted/Encoded File |
The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.[2] |
||
| Enterprise | T1548 | .002 | 滥用权限提升控制机制: Bypass User Account Control |
WastedLocker can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later.[2] |
| Enterprise | T1490 | 系统恢复抑制 |
WastedLocker can delete shadow volumes.[1][2][3] |
|
| Enterprise | T1569 | .002 | 系统服务: Service Execution |
WastedLocker can execute itself as a service.[2] |
| Enterprise | T1135 | 网络共享发现 |
WastedLocker can identify network adjacent and accessible drives.[3] |
|
| Enterprise | T1497 | .001 | 虚拟化/沙盒规避: System Checks |
WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.[2] |
| Enterprise | T1564 | .001 | 隐藏伪装: Hidden Files and Directories |
WastedLocker has copied a random file from the Windows System32 folder to the |
| .004 | 隐藏伪装: NTFS File Attributes |
WastedLocker has the ability to save and execute files as an alternate data stream (ADS).[3] |
||
Groups That Use This Software
References
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Walter, J.. (2020, July 23). WastedLocker Ransomware: Abusing ADS and NTFS File Attributes. Retrieved September 14, 2021.
- Podlosky, A., Feeley, B. (2021, March 17). INDRIK SPIDER Supersedes WastedLocker with Hades Ransomware to Circumvent OFAC Sanctions. Retrieved September 15, 2021.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.